Archive for December 2016

VPN Firms Set for a Great 2017 Thanks to Snoopers’ Charter

Virtual private network (VPN) providers are reporting an upsurge in interest from UK citizens keen to avoid state snoopers after the controversial Investigatory Powers Bill was passed.

Despite widespread opposition from rights groups, legal experts and the public – but crucially not the Labour Party – the Snoopers’ Charter was made law at the end of November.

It enshrines sweeping mass surveillance powers into law and forces ISPs to retain the web browsing records of everyone in the country for up to 12 months.

Also included is the potential for the government to demand backdoors in products in order to allow it to surveil the populace in the name of national security.

Over the summer, two surveys highlighted widespread opposition to the proposals.

Over three-quarters (76%) of respondents to a Venafi study said they were concerned the law would green-light increased government snooping powers, while 90% of those polled by Liberty were against the legislation.

Unsurprisingly, reports have been coming in that concerned netizens are now looking for technology solutions to uphold their privacy rights.

VPN provider Private Internet Access claimed that it had seen a 20% increase in signups from the UK in the week following parliamentary approval of the IP Bill, and rival NordVPN said that inquiries from the UK had almost tripled following the move.

The firm claimed it has doubled encryption between the UK and its servers in the Netherlands as a precaution.

It should be remembered for anyone considering a VPN that not all providers offer the same levels of anonymity.

Netizens should obviously avoid any provider based in the UK, as it would be subject to demands from the authorities for access to communications.

It’s also important to choose a provider which doesn’t store any record of user activity or identity like IP address. A handy guide has been compiled by Comparitech here.

The European Court of Justice (CJEU) this week effectively prohibited the kind of mass surveillance outlined in the Snoopers’ Charter, in a landmark ruling.

However, that’s unlikely to have much effect on the government’s plans, given the UK is set to leave the EU, and therefore the court’s jurisdiction, following the Brexit vote.

Source: Information Security Magazine

Researchers Discover New Lean and Mean ATM Malware

Security experts are warning of a new malware family designed to target and raid ATMs running the popular Microsoft XFS middleware.

Detected as BKDR_ALICE.A, the “Alice” malware is the leanest ATM threat of its type ever analyzed by Trend Micro, the firm’s senior threat researchers David Sancho and Numaan Huq claimed in a blog post.

Probably in the wild since at least October 2014, it first checks whether the ATM is running an Extensions for Financial Services (XFS) environment before beginning.

Once the hacker enters a four-digit PIN based on the ATM’s terminal ID, it will bring up an operator panel displaying the various “cassettes” loaded with money inside the machine.

The attacker can then empty each cassette at will.

The four-digit code is apparently included to prevent individual groups of mules sharing the malware with each other and bypassing the rest of the cybercrime operation.

“Several things stand out about Alice. It is extremely feature-lean and, unlike other ATM malware families we have dissected, it only includes the basic functionality required to successfully empty the money safe of the ATM,” wrote Sancho and Huq.

“It only connects to the CurrencyDispenser1 peripheral and it never attempts to use the machine’s PIN pad. The logical conclusion is that the criminals behind Alice need to physically open the ATM and infect the machine via USB or CD-ROM, then connect a keyboard to the machine’s mainboard and operate the malware through it.”

Although Alice uses a commercial off-the-shelf packer to make analysis and reverse engineering more difficult, as ATM malware goes mainstream it is expected that the black hats will develop custom packers and other obfuscation techniques.

In related news, Positive Technologies is trumpeting research which led to the discovery of a zero-day vulnerability in Intel Security’s Solidcore ATM product, which is designed to protect Windows-based cash-points.

Hackers could have used the bug to successfully target banks using customized malware, according to the vendor.

“The core protection for ATMs has to be regular security audits, the creation of secure ATM configuration policies, combined with continuous monitoring for compliance with these requirements. Such monitoring would significantly increase ATM protection from attacks exploiting simple vulnerabilities – such as Kiosk mode bypass and the absence of BIOS passwords,” explained lead security evangelist, Alex Mathews.

“For real-time detection of targeted attacks, the recommendation is to use security information and event management systems (SIEM) to detect suspicious activities or event sequences – such as the connection of any devices to an ATM, an unexpected reboot, the repeated depression of keys, or the execution of unauthorized commands.”
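The event sequences Mathews lists map directly onto SIEM correlation rules. The Python below is an added illustration, not code from Positive Technologies or from the article: it runs a handful of such rules over constructed ATM host events (the hypothetical host name ATM-0042, the log line format and the process allowlist are all assumptions) and raises a correlated, higher-severity alert when an unauthorized program starts shortly after a device is plugged in.

```python
"""Toy SIEM correlation over ATM host events (added example; log format is assumed)."""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: one night's events from a hypothetical ATM host "ATM-0042".
# Line format (assumed): <ISO timestamp> <host> <EVENT_TYPE> key=value ...
SAMPLE_EVENTS = [
    "2016-12-20T02:11:05 ATM-0042 DEVICE_CONNECT class=USB_STORAGE",
    "2016-12-20T02:12:40 ATM-0042 REBOOT reason=unexpected",
    "2016-12-20T02:13:50 ATM-0042 DEVICE_CONNECT class=USB_HID",
    "2016-12-20T02:15:02 ATM-0042 PROCESS_START image=C:\\Windows\\Temp\\svc.exe",
    "2016-12-20T02:15:30 ATM-0042 KEY_PRESS key=1",
    "2016-12-20T02:15:35 ATM-0042 KEY_PRESS key=2",
    "2016-12-20T02:15:40 ATM-0042 KEY_PRESS key=3",
    "2016-12-20T02:15:45 ATM-0042 KEY_PRESS key=4",
    "2016-12-20T02:15:50 ATM-0042 KEY_PRESS key=ENTER",
    "2016-12-20T02:15:55 ATM-0042 KEY_PRESS key=ENTER",
    "2016-12-20T09:00:00 ATM-0042 REBOOT reason=scheduled",
    "2016-12-20T09:00:10 ATM-0042 PROCESS_START image=C:\\XFS\\agent.exe",
]

# Assumed allowlist of binaries an ATM host is expected to launch.
ALLOWED_IMAGES = {"C:\\XFS\\agent.exe", "C:\\Windows\\explorer.exe"}
KEYPRESS_THRESHOLD = 5                  # presses within KEYPRESS_WINDOW that count as "repeated"
KEYPRESS_WINDOW = timedelta(seconds=60)
TAMPER_WINDOW = timedelta(minutes=15)   # device connect followed by unknown process inside this window


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str
    attrs: dict


@dataclass
class Alert:
    ts: datetime
    host: str
    rule: str
    severity: str
    detail: str


def parse_event(line: str) -> Event:
    ts, host, kind, *rest = line.split()
    attrs = dict(item.split("=", 1) for item in rest)
    return Event(datetime.fromisoformat(ts), host, kind, attrs)


def detect(lines):
    """Apply the per-event rules and the device-then-execute correlation; return alerts in time order."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e.ts)
    alerts = []
    recent_keys = {}    # host -> deque of key-press timestamps inside the sliding window
    last_device = {}    # host -> timestamp of the most recent device connection
    for ev in events:
        if ev.kind == "DEVICE_CONNECT":
            last_device[ev.host] = ev.ts
            alerts.append(Alert(ev.ts, ev.host, "device-connect", "medium", ev.attrs.get("class", "?")))
        elif ev.kind == "REBOOT" and ev.attrs.get("reason") != "scheduled":
            alerts.append(Alert(ev.ts, ev.host, "unexpected-reboot", "medium", ev.attrs.get("reason", "?")))
        elif ev.kind == "PROCESS_START":
            image = ev.attrs.get("image", "")
            if image not in ALLOWED_IMAGES:
                alerts.append(Alert(ev.ts, ev.host, "unauthorized-command", "high", image))
                dev_ts = last_device.get(ev.host)
                if dev_ts is not None and ev.ts - dev_ts <= TAMPER_WINDOW:
                    gap = int((ev.ts - dev_ts).total_seconds())
                    alerts.append(Alert(ev.ts, ev.host, "tamper-then-execute", "critical",
                                        f"{image} started {gap}s after a device was connected"))
        elif ev.kind == "KEY_PRESS":
            window = recent_keys.setdefault(ev.host, deque())
            window.append(ev.ts)
            while window and ev.ts - window[0] > KEYPRESS_WINDOW:
                window.popleft()
            if len(window) == KEYPRESS_THRESHOLD:   # fire once, when the threshold is first crossed
                alerts.append(Alert(ev.ts, ev.host, "repeated-keypress", "medium",
                                    f"{len(window)} presses in {KEYPRESS_WINDOW.seconds}s"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert.ts} {alert.host} [{alert.severity}] {alert.rule}: {alert.detail}")
```

The scheduled reboot and the allowlisted agent start at 09:00 produce nothing, which is the point of the allowlist and the reboot reason: the rules are meant to isolate the out-of-hours device-connect, reboot, unknown-binary, keypad-burst sequence rather than page on routine maintenance.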

Source: Information Security Magazine

Wassenaar Arrangement: Still No Deal Reached

Security researchers have been left in the lurch after negotiators failed to find a breakthrough in talks designed to update a controversial export treaty which currently treats white hat hacking tools like weapons.

The Wassenaar Arrangement is a 41-country pact to restrict the export of weapons and “dual use” technologies.

It was updated in 2013 to include “intrusion software” in a bid to prevent repressive regimes getting their hands on tools which could help them monitor dissidents and political activists.

However, the security industry revolted, claiming the language used in the update was too broad and would also require researchers to apply for export licenses simply to share code and tools with colleagues and partners across borders – hampering white hat efforts.

The US government finally recognized this in 2015 and has since been trying to persuade all countries involved to agree on new language – but that has proven too difficult this year.

Congressman Jim Langevin, co-chair of the Congressional Cybersecurity Caucus, expressed disappointment at the outcome.

“For over a year, I have led my colleagues in Congress in calling for a careful review of these controls, which could harm our nation’s cybersecurity by making it more difficult to quickly share defensive tools and close vulnerabilities,” he said in a statement. “The small changes clarifying the role of ‘command and control’ functionality that were made at the annual meeting, while needed, are simply insufficient to address the broader flaws in the language.”

Harley Geiger, director of public policy at Rapid7, argued that without the changes, the arrangement would impede the work needed to advance cybersecurity efforts around the globe.

“Although some helpful changes were made, the problematic ‘technology’ category definition was not changed,” he explained. “This broad description could result in security researchers and companies having to obtain export licenses in order to share exploit code across borders. Sharing this kind of information is currently a relatively routine part of identifying and mitigating security vulnerabilities.”

The hope is that the Trump administration will continue to fight for changes to the language in the pact.

Source: Information Security Magazine

US House Judiciary: Encryption Critical to National Interests

Established in the wake of the FBI/Apple iPhone unlocking controversy, the US House of Representatives’ Encryption Working Group (EWG) has issued a strong recommendation in favor of the use of encryption for private communications.

“Any measure that weakens encryption works against the national interest,” the group said in its year-end report. “Congress should not weaken this vital technology.”

The group is a joint effort of the US House Judiciary Committee and the House Energy and Commerce Committee, and includes two Republicans and two Democrats from each Committee, as well as the chairmen and ranking members of the respective Committees serving as ex officio members.

Back in February, a federal magistrate judge in the US District Court for the Central District of California issued an order requiring Apple to assist the FBI in obtaining encrypted data from an iPhone related to a 2015 shooting in San Bernardino, Calif. Apple resisted the order, but the FBI pursued a different method to access the data stored on the device. Nevertheless the case, and the heated rhetoric exchanged by parties on all sides, reignited a decades-old debate about government access to encrypted data.

The group acknowledged the position of Apple and other entities as it explained the rationale for protecting encryption:

Representatives of the national security community told the EWG that strong encryption is vital to the national defense and to securing vital assets, such as critical infrastructure. Civil society organizations highlighted the importance of encryption for individual privacy, freedom of speech, human rights, and protection against government intrusion at home and abroad. Private sector stakeholders—in particular, their information security officers—and members of the academic community approached the question from an engineering perspective—against a wide array of threats, foreign and domestic, encryption is one of the strongest cybersecurity tools available.

However, the group also noted that encryption policy must address the legitimate concerns of the law enforcement and intelligence communities.

“To be clear, the widespread adoption of encryption has had a profound impact on the law enforcement community,” the report noted. “Even with a lawful court order, even in dire circumstances, the authorities may not have access to encrypted data. To this end, Congress should explore proposals that have so far received little attention in the committees, but may offer valuable assistance to law enforcement agencies in a digital landscape where default strong encryption is ubiquitous.”

Some ideas include collaboration between the law enforcement community and the technology sector, and information-sharing between different elements of the law enforcement community.

“Public perception and recent tensions notwithstanding, there is already substantial cooperation between the private sector and law enforcement,” the report said. “Private company stakeholders demonstrated an ability to assist federal, state, and local agencies with access to information to the extent possible and with service of a lawful order, and expressed a willingness to explore ways to improve and enhance that collaboration.”

Stakeholders from all sides were nearly unanimous in describing a significant gap in the technical knowledge and capabilities of the law enforcement community, particularly at the state and local levels.

“This results in a range of negative consequences that not only hinder law enforcement’s ability to pursue investigations but also contribute to its tension with the technology community,” the report concluded. “For example, from the perspective of law enforcement, routine requests for data are often challenged by the companies, unnecessarily delayed, or simply go unanswered. From the perspective of the companies, these requests often lack appropriate legal process, are technically deficient, or are directed to the wrong company altogether.”

The working group also noted that a Congressional mandate requiring companies to maintain exceptional access to data for law enforcement agencies would apply only to companies within the United States.

“The consequences for such a policy may be profound, but they are not likely to prevent bad actors from using encryption,” the report stated. “Representatives of various private companies told the EWG that a mandate compromising encryption in the US technology sector would simply shift consumers to products offered by foreign companies. These forces might incentivize larger companies to leave the United States, and render small business and other innovators in the field obsolete.”

Above all, the group warned against engendering a binary debate between law enforcement and private entities.

“Encryption is inexorably tied to our national interests,” the report concluded. “It is a safeguard for our personal secrets and economic prosperity. It helps to prevent crime and protect national security. The widespread use of encryption technologies also complicates the missions of the law enforcement and intelligence communities. As described in this report, those complications cannot be ignored. This is the reality of modern society. We must strive to find common ground in our collective responsibility: to prevent crime, protect national security and provide the best possible conditions for peace and prosperity.”

Photo © Den Rise

Source: Information Security Magazine

A Malware Cocktail Shakes Up Cerber Ransomware Infections

The cyber-criminals behind a fresh ransomware campaign are celebrating the new year with a malware cocktail—one that’s spreading the Cerber ransomware.

According to Heimdal Security, this ongoing ransomware campaign packs a big punch against its victims, aiming for a high success rate in terms of infected systems.

It begins by compromising legitimate websites through the injection of malicious scripts. The injected scripts then redirect the victims’ internet traffic to a Cerber gateway known as Pseudo Darkleech, a type of malware infection created to add a strong obfuscation layer and keep detection rates low.

The malicious script injected into these websites is the Nemucod generic malware downloader, which is used to download and run Cerber ransomware. The attackers are exploiting vulnerabilities in Internet Explorer, Microsoft Edge, Flash Player and Silverlight to infect unsuspecting users.

“Please keep in mind that this ransomware campaign can affect both individual internet users and companies,” said Heimdal security researcher Andra Zaharia, in a blog. “What’s more, Cerber has recently started targeting companies’ databases to maximize profits from the ransom, so this is another reason to take additional precautions.”

A main hallmark of the attack is that the cyberattackers are choosing to incorporate so many types of malware in a single attack—the aforementioned cocktail of Nemucod, DarkLeech and Cerber. The goal is twofold: to make the infection stealthy, so it can’t be detected and stopped by antivirus, and to make it persist until it has encrypted all the victim’s data and reached the point where it can demand a ransom the victim feels compelled to pay.

“Nemucod first emerged in December 2015 as a Trojan downloader,” Zaharia noted. “This malware downloader recently got a ton of attention when it was used in spam IMs on Facebook Messenger to spread Locky ransomware. Pseudo DarkLeech uses hidden iframe injections and randomizes elements to enable the malware to operate covertly. And Cerber, which was discovered in March 2016, is a professionally coded ransomware that provides customization options…Like Locky, Cerber appears to have access to the Dridex spam network, meaning it can be pushed out quickly in large spam campaigns.”
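Zaharia's description of hidden iframe injection suggests a simple check a site owner can run over their own pages to catch this kind of compromise early. The Python below is an added example, not code from Heimdal Security or from the article: it walks a constructed HTML sample and flags iframes that are hidden (by inline style, by a hidden ancestor, or by 1x1 dimensions) and that load content from a host other than the page's own; the host names in the sample are made up.

```python
"""Flag hidden third-party iframes in a page (added example; sample HTML is constructed)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Inline-style patterns that take an element out of view (display/visibility or pushed off-screen).
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px", re.I)
# Elements that never get a closing tag, so they must not stay on the ancestor stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link", "meta", "source", "track", "wbr"}


class IframeFinder(HTMLParser):
    """Collect every <iframe> together with whether one of its ancestors hides it."""

    def __init__(self):
        super().__init__()
        self.stack = []    # (tag, hidden_by_inline_style) for each currently open ancestor
        self.iframes = []  # (attrs, hidden_by_ancestor)

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            self.iframes.append((attrs, any(hidden for _, hidden in self.stack)))
        if tag not in VOID_TAGS:
            self.stack.append((tag, bool(HIDDEN_STYLE.search(attrs.get("style", "")))))

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):   # pop back to the matching open tag
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def _px(value):
    """Parse a width/height attribute to a number; None when absent or non-numeric."""
    try:
        return float(str(value).lower().replace("px", "").strip())
    except ValueError:
        return None


def suspicious_iframes(html, page_host):
    """Return iframes that are hidden or 1x1 AND load from a host other than page_host."""
    finder = IframeFinder()
    finder.feed(html)
    findings = []
    for attrs, hidden_by_ancestor in finder.iframes:
        src = attrs.get("src", "")
        host = urlsplit(src).hostname or page_host   # a relative src stays on the page's own host
        reasons = []
        if hidden_by_ancestor or HIDDEN_STYLE.search(attrs.get("style", "")):
            reasons.append("hidden")
        width, height = _px(attrs.get("width")), _px(attrs.get("height"))
        if (width is not None and width <= 1) or (height is not None and height <= 1):
            reasons.append("tiny")
        if reasons and host != page_host:
            findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


# Constructed sample page: one legitimate visible embed, two hidden third-party frames,
# and one hidden same-origin frame that should not be reported.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://player.example-video.com/embed/123" width="640" height="360"></iframe>
<iframe src="http://k1x2.example.net/ads.php" width="1" height="1" style="position:absolute;left:-9999px"></iframe>
<div style="display:none"><iframe src="https://gate.example.org/?id=8f3a"></iframe></div>
<iframe src="/status" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in suspicious_iframes(SAMPLE_HTML, "shop.example.com"):
        print(finding)
```

Requiring both a hiding signal and a third-party source keeps the false-positive rate low: visible embeds from video or payment providers and hidden same-origin frames used for legitimate page mechanics are left alone, while the pattern the article describes, a concealed frame pulling from an unrelated host, is what gets reported.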

Victims whose data is encrypted with Cerber are usually extorted for amounts ranging from 1.24 bitcoins (BTC) to 2.48 BTC ($1,068 to $2,136 according to December 2016 rates).

To avoid becoming a victim of ransomware, users should keep their software up to date, create and maintain at least two backups of their data in different locations (in the cloud and on an external drive), and enhance browser protection.

Photo © kentoh

Source: Information Security Magazine

Man Jailed for Part in Global Fraud Ring

Police in London are celebrating this week after a 29-year-old man was jailed for over five years for his part in a major online banking fraud ring.

Tomasz Skowron, of Meredith Road in Worthing, was sentenced on Monday at Croydon Crown Court after pleading guilty to conspiracy to defraud, fraud and money laundering offences.

The Metropolitan Police’s Falcon Cyber Crime Unit identified that Skowron had made several fraudulent payments into money mule accounts and bank accounts under his control, according to a police statement.

Using intelligence offered up by the banking industry, they traced an IP address associated with the payments back to Skowron’s house in 2014.

There they apparently found more incriminating evidence on his computers and phones. Text messages sent to accomplice Piotr Ptach are said to have revealed that he was in the process of identifying and recruiting new money mules.

Skowron was also linked to two man-in-the-middle cyber-attacks against UK construction firms in April that year.

Malware covertly downloaded to victims’ machines enabled cyber-criminals to monitor their bank account details and then hijack accounts to illegally transfer funds out.

The two companies involved in the scheme are said to have lost £500,000 as a result, with £39,000 transferred into an account Skowron had opened only nine days before the scam.

Ptach was handed down three years at Southwark Crown Court earlier this year.

“Skowron played a significant part in a wider criminal network that was responsible for several high-value frauds using malware,” explained Detective Constable Jody Stanger, from the Met’s Falcon unit.

“The proceeds of this fraud were then laundered through an organized money mule network. This conviction and sentence is the culmination of a long and complex investigation and shows that we will relentlessly pursue criminals involved in serious and organised crime online.”

Source: Information Security Magazine

Cyber-criminals Offer Christmas Ransomware Discount

Cyber-criminals appear to be getting into the Christmas spirit, with one group offering ransomware victims who intend to pay a festive discount of more than half the original cost.

Security vendor Forcepoint spotted the seasonal campaign from the black hats behind the CryptXXX ransomware variant.

Whereas the group typically charges victims 1.2 Bitcoin ($1040) to get their files back, the special Christmas price is now 0.5 Bitcoin ($433).

The new pop-up window apparently displays once the user has decided to pay up and clicks through to one of the Tor-based payment sites.

CryptXXX is one of the few ransomware families that security researchers have had success with, releasing a decryptor tool for it back in May.

However, that effort and a second tool were both rendered useless by new versions of the ransomware developed to circumvent these efforts.

In the meantime, ransomware continues to cause businesses and consumers chaos and misery.

By Q3 there was one attack on businesses every 40 seconds and one targeting consumers every 10 seconds, according to Kaspersky Lab.

Meanwhile, Trend Micro claimed new ransomware families spiked an astonishing 400% between January and September this year, thanks to code that was made publicly available.

However, the vendor predicted more modest growth of 25% in 2017 – translating as an average of 15 new families each month.

It also claimed that cyber-criminals would increasingly look to Business Email Compromise (BEC) scams to generate larger profits.

The average payout for a successful BEC or CEO fraud attack is $140,000, versus just one Bitcoin ($869) for a ransomware attack, the vendor said in its 2016 predictions report.

This year, the true scale of the ransomware epidemic in the UK began to emerge, thanks to a series of Freedom of Information (FoI) requests from various parties.

Over half of the country’s universities have been hit by at least one attack in the past year, while 47% of NHS Trusts claimed the same.

Also, at least 30% of UK councils fell victim in 2015, according to separate research.

Source: Information Security Magazine

Groupon Customer Anger After Account Fraud Hits Site

Deals site Groupon has come in for fierce criticism after customers started complaining that their accounts had been compromised and used to purchase hundreds of pounds’ worth of goods fraudulently.

Reports of the account fraud have been trickling in since the start of the month, with users furious with the US site’s slow response – in some cases being told it will take at least 10 days to review their case, according to MoneySavingExpert.

Groupon claimed that its own infrastructure has not been penetrated by hackers, meaning that the fraudsters are most likely logging in with credentials re-used from a separate breach or harvested through individual phishing attacks.

A statement sent to Infosecurity had the following:

"I can confirm there has been no security breach to our website or mobile app. What we are seeing however is a very small number of customers who have had their account taken over by fraudsters. Fraudsters have a number of ways in which they can obtain your login details to a website including phishing e-mails, trojan attacks, spyware and malware. By using these methods, it’s possible for fraudsters to get customer account information, log in and make purchases."

The firm added that if it can confirm fraud has taken place it will immediately block the account in question and refund the customer's money.

“With the massive data breaches announced last week by Yahoo – remember it was one billion accounts – it has never been more important to use different passwords on every site and use 2FA where possible,” argued Richard Meeus, VP of technology EMEA at NSFOCUS.

“Using the same username and password on every site should not be happening anymore. We need to change user apathy towards passwords, and maybe also get website owners to be more proactive in supporting their customers by checking their user databases against the lists of breached accounts.”

The incident raises interesting questions about where responsibility should lie for preventing this kind of fraud. There have been a spate of similar attacks of late, including ones which compromised customer accounts at delivery firm Deliveroo and National Lottery provider Camelot.

“Large companies normally should have advanced anti-fraud systems, such as detection of unusual user activity or suspicious behavior. Nowadays machine learning technologies can do this pretty well. For low-score alerts, users should receive a notification and a possibility to instantly block the transaction. For high or repetitive low-score alerts, accounts must be temporarily suspended until user identity is verified,” explained Ilia Kolochenko, CEO of web security firm High-Tech Bridge.

“This is not an easy task though, as you can erroneously block a legitimate user from making a purchase, and some companies prefer to allow criminal activities rather than investing in advanced anti-fraud systems with low level of false-positives, putting their users at great risk. If fraud prevention systems are not properly implemented, consumers may have a valid reason to sue negligent retailers and claim reimbursement for their financial losses.”
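Meeus's suggestion (screen user databases against breached-credential lists) and Kolochenko's (score unusual activity, notify on low scores, suspend on high or repeated low scores) fit together in one account-takeover control. The Python below is an added example, not code from NSFOCUS, High-Tech Bridge or the article: the signal weights, thresholds, breach corpus and account history are all constructed assumptions, and a production system would replace the local digest set with a proper breach-list lookup and tune the weights against real fraud outcomes.

```python
"""Tiered account-fraud scoring (added example; weights, thresholds and corpus are assumed)."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed stand-in for a breached-credential list: SHA-1 digests of a few passwords
# that are assumed to have leaked elsewhere. A real check would consult a breach-list
# service; this set keeps the example offline.
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest() for p in ("password1", "letmein", "qwerty123")}

LOW_THRESHOLD = 20       # notify the user and offer a one-click block of the transaction
HIGH_THRESHOLD = 60      # suspend the account until identity is re-verified
REPEAT_LIMIT = 3         # this many low-score alerts inside REPEAT_WINDOW also suspends
REPEAT_WINDOW = timedelta(hours=24)


@dataclass
class Profile:
    usual_countries: set
    known_devices: set
    avg_purchase: float
    low_alerts: list = field(default_factory=list)   # timestamps of earlier low-score alerts


@dataclass
class Event:
    ts: datetime
    country: str
    device_id: str
    amount: float
    password: str   # the password presented at login; checked against the corpus, never stored


def password_breached(password):
    return hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1


def score(ev, prof):
    """Additive risk score plus the names of the signals that fired (weights are assumptions)."""
    signals = [
        ("new-country", 40, ev.country not in prof.usual_countries),
        ("new-device", 20, ev.device_id not in prof.known_devices),
        ("breached-password", 30, password_breached(ev.password)),
        ("unusual-amount", 25, ev.amount > 3 * prof.avg_purchase),
    ]
    fired = [name for name, _, hit in signals if hit]
    return sum(weight for _, weight, hit in signals if hit), fired


def decide(ev, prof):
    """Return (action, score, reasons); records low-score alerts on the profile for repeat tracking."""
    s, reasons = score(ev, prof)
    if s >= HIGH_THRESHOLD:
        return "suspend", s, reasons
    if s >= LOW_THRESHOLD:
        prof.low_alerts = [t for t in prof.low_alerts if ev.ts - t <= REPEAT_WINDOW]
        prof.low_alerts.append(ev.ts)
        if len(prof.low_alerts) >= REPEAT_LIMIT:
            return "suspend", s, reasons + ["repeated-low-alerts"]
        return "notify", s, reasons
    return "allow", s, reasons


def demo():
    """Run constructed events for one account; returns [(action, score), ...] in order."""
    prof = Profile(usual_countries={"GB"}, known_devices={"dev-a"}, avg_purchase=35.0)
    t0 = datetime(2016, 12, 19, 10, 0)
    events = [
        Event(t0, "GB", "dev-a", 40.0, "correct-horse-battery"),                        # routine purchase
        Event(t0 + timedelta(hours=1), "GB", "dev-b", 40.0, "correct-horse-battery"),   # new device
        Event(t0 + timedelta(hours=2), "GB", "dev-b", 250.0, "correct-horse-battery"),  # new device, large order
        Event(t0 + timedelta(hours=3), "US", "dev-c", 300.0, "password1"),              # credential-stuffing shape
        Event(t0 + timedelta(hours=4), "GB", "dev-d", 40.0, "correct-horse-battery"),   # third low alert in 24h
    ]
    return [decide(ev, prof)[:2] for ev in events]


if __name__ == "__main__":
    for action, s in demo():
        print(f"{action:8s} score={s}")
```

The fourth event is what a stuffing attempt with a leaked password looks like from the retailer's side and is suspended outright; the fifth scores only 20 on its own but becomes the third low-score alert within a day, which is Kolochenko's "repetitive low score" case. Raising the weights or lowering the thresholds trades the false positives he warns about against missed fraud, which is why the numbers are left as named constants rather than buried in the logic.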

Christmas is one of the biggest times of the year for fraudsters as they look to capitalize on the fact that retailers may be more focused on profits than cybersecurity.

Fraud prevention firm ThreatMetrix claimed last month that UK retailers would face one million fraud attempts each day in the run up to Christmas.

Source: Information Security Magazine

Russian Criminals Rake in Millions Per Day in Video Ad Impressions

Russian cyber-criminals are siphoning off millions of advertising dollars per day from US media companies and brand-name advertisers, according to analysis by security firm White Ops. It is the single most profitable bot operation discovered to date.

Using an army of automated web browsers run from fraudulently acquired IP addresses, the Methbot operation is “watching” as many as 300 million video ads per day on falsified websites designed to look like premium publisher inventory. More than 6,000 premium domains were targeted and spoofed, enabling the operation to attract $3 million to $5 million per day in real advertising dollars. About 200 million to 300 million video ad impressions are generated per day on fabricated inventory.

White Ops, which dubbed the bot Methbot because of references to “meth” in its code, said that the operation produces massive volumes of fraudulent video advertising impressions by commandeering critical parts of internet infrastructure and targeting the premium video advertising space.

“Advertisers often rely on data stored on a user’s machine in cookies to target advertising against demographic information, browser histories, past purchases and many other data points,” White Ops explained. “Methbot operators use this industry approach to their advantage and stuff crafted cookies into fake web sessions by leveraging a common open source library, which allows them to maintain persistent identities containing information known to be seen electronically as valuable to advertisers. In this way, they take advantage of the higher CPMs advertisers are willing to spend on more precisely targeted audiences.”

Methbot operators forge tried-and-true industry measures of humanity. Cursor movements and clicks are faked and multiple viewability measures are faked to further mimic observed trends in human behavior. Additionally, sophisticated techniques are employed to provide an even more convincing picture of humanity: It forges fake social network login information to make it appear as if a user is logged in when an impression occurs.

“Since both human audiences and premium publisher inventory are in high demand, Methbot focuses on manufacturing both of these as its product,” White Ops explained. “By supplying faked audiences and hijacking the brand power of prestigious publishers through faked domains and falsified inventory, Methbot is able to siphon away millions in real advertising dollars.”

The measured impact to the advertising ecosystem is unprecedented, the firm added. By fabricating as much as $5 million in video advertising inventory per day, Methbot far exceeds the financial damages done by previously discovered botnets. ZeroAccess is thought to have collected as much as $900,000 per day, the Chameleon Botnet up to $200,000 per day, and HummingBad up to $10,000 per day.

250,267 distinct URLs have been spoofed to falsely represent inventory, with 6,111 premium domains targeted and spoofed. The effort is being undertaken from 800 to 1,200 dedicated servers operating from data centers in the United States and the Netherlands.

“This analysis is possibly only a fraction of Methbot’s true impact,” White Ops concluded. “Because White Ops is only able to analyze data directly observed by White Ops, the total ongoing monetary losses within the greater advertising ecosystem may be larger.”

Photo © Marta Design

Source: Information Security Magazine

Despite Successful Attacks, Orgs Aren't Upping Security Budgets

Despite significant concerns over both new threats (ransomware, specifically) and age-old, persistent ones (users unknowingly triggering attacks), for the majority of organizations, next year’s security plan essentially boils down to more of the same.

That’s according to Barkly’s Cyber Attack Statistics 2016 report, which found that when asked what adjustments they were planning on making to their security stack to better protect themselves from cyberattacks in 2017, nearly two-thirds of IT pros reported no changes were planned.

Only a slightly larger percentage of attack victims indicated they were making changes and improvements next year (31% compared to 23% of respondents, overall).

Even fewer organizations have plans to change or augment their antivirus solution, in spite of additional responses indicating that antivirus performance was clearly a mixed bag. Of the organizations that acknowledged experiencing attacks, more than half reported their antivirus had been bypassed by one or more of them.

Meanwhile, the report shows that one third of the IT pros surveyed reported that their security had been bypassed by a cyberattack in 2016. Nearly six out of 10 respondents reported being aware that their organization was the target of one or multiple cyberattacks during 2016. And for more than half of the IT pros who reported experiencing attacks, the security they had in place unfortunately wasn’t enough to stop all of them. About 54% of those who were targeted suffered one or more successful attacks.

The numbers are even worse for organizations that were targets of ransomware attacks (57% of organizations that experienced attacks, overall): 71% of organizations targeted with ransomware attacks were infected.

“To recap, the majority of organizations out there are getting attacked,” said Barkly blogger Jonathan Crowe. “More than half of those organizations are getting infected. The protection they have in place is getting bypassed. Yet the majority aren't making any adjustments to change that.”

For some, the simple answer might be that they can't—they don't have the budget or support. Nearly 60% of the IT pros surveyed expect their 2017 IT security budget to decrease or stay the same. Only a third are planning to have more budget to work with.

Photo © Den Rise

Source: Information Security Magazine